Vulnerability Details CVE-2022-2546
The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that, when submitted by any visitor, will inject arbitrary HTML or JavaScript into the response, which will then be executed in the victim's session. Note: This requires knowledge of a static secret key.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.642
EPSS Ranking 98.4%
CVSS Severity
CVSS v3 Score 4.7
Products affected by CVE-2022-2546
- cpe:2.3:a:servmask:all-in-one_wp_migration:-
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.39
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.40
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.41
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.42
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.43
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.44
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.45
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.46
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.47
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.48
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.49
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.50
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.51
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.52
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.53
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.54
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.55
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.56
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.57
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.58
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.59
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.60
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.61
- cpe:2.3:a:servmask:all-in-one_wp_migration:7.62